--- title: "Secrets" description: "REST endpoints for secrets. Bearer-auth required." section: "API" group: "REST" order: 57 --- ## GET /api/secrets List secrets with pagination. Values are never returned. **Query parameters** - `limit` (optional): Page size (1–100, default 100). - `after` (optional): Keyset cursor — return the page after this row (next page). - `before` (optional): Keyset cursor — return the page before this row (prev page). - `ids` (optional): Comma-separated list of IDs. Narrows results to these IDs within the caller's accessible scope (does not bypass access checks). - `filter` (optional): Nested filter expression (`Filter`): AND/OR/NOT + per-field comparison operators + relation traversal. JSON-encoded on the query string. - `orderBy` (optional): Multi-key sort (`OrderBy[]`): array of `{ field: direction }` applied in order. Directions: asc/desc plus the four explicit nulls variants. JSON-encoded on the query string. - `workspace_id` (optional): Filter secrets to this workspace. - `include_deleted` (optional): Soft-deleted secret visibility. `false` (default) — active rows only. `true` — active plus soft-deleted. `only` — soft-deleted only. - `name` (optional): Case-insensitive substring match on name. - `created_by` (optional): Shorthand: filter where `createdBy` equals this value. **Response** ```json { "data": [ { "id": "<...>", "workspaceId": "<...>", "name": "<...>", "hint": "<...>", "metadata": "<...>", "createdBy": "<...>", "createdAt": "<...>", "updatedAt": "<...>" } ], "pageInfo": { "total": "number", "hasNextPage": "boolean", "hasPreviousPage": "boolean", "startCursor": "string", "endCursor": "string" } } ``` ## POST /api/secrets Create a secret **Request body** ```json { "workspaceId": "string", "name": "string", "value": "string", "metadata?": {} } ``` **Response** ```json { "id": "string", "workspaceId": "string", "name": "string", "hint": "string", "metadata": {}, "createdBy": "string", "createdAt": "string", "updatedAt": "string" } ``` ## GET /api/secrets/{id} Get a single secret by ID (metadata only — never the value). **Path parameters** - `id` (required): Secret to retrieve. **Response** ```json { "id": "string", "workspaceId": "string", "name": "string", "hint": "string", "metadata": {}, "createdBy": "string", "createdAt": "string", "updatedAt": "string" } ``` ## PATCH /api/secrets/{id} Update a secret **Path parameters** - `id` (required): The secret's prefixed ID. **Request body** ```json { "name?": "string", "value?": "string", "metadata?": {} } ``` **Response** ```json { "id": "string", "workspaceId": "string", "name": "string", "hint": "string", "metadata": {}, "createdBy": "string", "createdAt": "string", "updatedAt": "string" } ``` ## DELETE /api/secrets/{id} Soft-delete a secret. **Path parameters** - `id` (required): Secret to soft-delete. **Response** ```json { "success": "boolean" } ``` ## DELETE /api/secrets/{id}/purge Permanently delete a soft-deleted secret (erasure — removes the ciphertext). **Path parameters** - `id` (required): Soft-deleted secret to permanently delete. **Response** ```json { "success": "boolean" } ``` ## POST /api/secrets/{id}/restore Restore a soft-deleted secret. **Path parameters** - `id` (required): Soft-deleted secret to restore. **Response** ```json { "id": "string", "workspaceId": "string", "name": "string", "hint": "string", "metadata": {}, "createdBy": "string", "createdAt": "string", "updatedAt": "string" } ```